FixVibe

// 探测 / 聚焦

CRLF / Response Splitting

If user input lands in a response header, line breaks let the attacker write their own headers.

概要

Response splitting is the network protocol equivalent of finding a typewriter and discovering the carriage-return key works. HTTP headers are delimited by `\r\n`. Any place user input gets concatenated into a header without filtering those bytes, the attacker can end one header line and start another. Modern frameworks strip CR/LF before they ever reach the wire, so most apps are immune by accident — but the bug still appears in custom header-handling code, in proxy layers that forward user-controlled values, and in language features that lag behind framework norms (raw FastCGI bridges, mod_perl, certain Lua patterns, anywhere someone wrote `header('Location: ' + req.query.next)` without the framework's redirect helper).

運作方式

CRLF injection appears when user-controlled text reaches response headers without proper normalization. Attackers may be able to split headers, poison caches, or alter downstream browser behavior.

影響范圍

Cookie injection (session fixation, role escalation if the app trusts cookies for authorization). Cache poisoning across CDN edges, where one attacker request taints responses for every later visitor. XSS via injected Content-Type or HTML body. CRLF in `Location:` headers can also enable open-redirect-style phishing through legitimate-looking flows.

// fixvibe 檢查的內容

FixVibe 檢查的內容

FixVibe checks this class with verified-domain active testing that is bounded, non-destructive, and evidence-driven. Public reports describe the affected surface and remediation. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

铁壁防御

Strip or reject CR (`\r`, `%0d`) and LF (`\n`, `%0a`) in any user input that reaches a response header. Most modern frameworks do this automatically: Express's `res.redirect` rejects line breaks, Django's `HttpResponseRedirect` URL-encodes them, Rails sanitizes header values. The bugs cluster in custom code — proxy handlers, signed-URL generators, OAuth callback constructors, anywhere someone reaches into `res.setHeader` directly. Audit those code paths and pass user input through a strict header-value sanitizer. As a defense-in-depth measure, ensure your CDN normalizes or rejects ambiguous responses (most modern CDNs do this by default; older nginx-as-cache configurations may not). Use HTTP/2 between proxy and origin where possible — HTTP/2 frames eliminate the CR/LF parsing ambiguity entirely.

// 在你自己的應用上跑一遍

放心继續發布,FixVibe 持續幫你看守風险。

FixVibe 像攻击者一樣對你的應用公開面进行压力测試 —— 无代理、无安裝、无信用卡。我們持續研究新的漏洞模式,并把它們转化成实用检查和可直接用于 Cursor、Claude、Copilot 的修複方案。

主動探測
127
本類别中触發的测試
模塊
48
專属 主動探測 检查
每次扫描
487+
跨所有類别的测試
  • 免费 —— 无需信用卡,无需安裝,无需 Slack 通知
  • 只需粘贴 URL —— 我們爬取、探测、生成報告
  • 按严重程度分级,去重至只剩信號
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
運行免费扫描

// 最新检查 · 实用修複 · 安心發布

CRLF / Response Splitting — 漏洞聚焦 | FixVibe · FixVibe